
AutoLocky Ransomware

Siji Roy
Last Updated May 18, 2022 6:56 am

AutoLocky is ransomware written in the popular AutoIt scripting language. It uses strong RSA and AES ciphers to encrypt files on an infected system and marks each encrypted file by appending a .locky extension. It also drops a ransom note, named either info.txt or info.html, that demands payment to decrypt the files.

What Is AutoLocky Ransomware?

AutoLocky originated in 2016 and impersonates a dangerous ransomware family known as Locky. It borrows Locky’s name as the file extension (.locky) for encrypted files to make the attack look more serious; however, it does not change a file’s base name as Locky did. Although it copies most of Locky’s features, it is not as dangerous as Locky, which is written in the C++ programming language rather than AutoIt.

AutoLocky targets Windows users and exists to make money for its operators, usually demanding 0.75 BTC, approximately $325, as ransom to decrypt files. In addition, AutoLocky’s executable uses an icon identical to the Adobe PDF icon, which makes it easier for the attackers to trick their targets into opening it.

How Does the Attack Work?

The AutoLocky virus is mainly distributed via spam emails carrying attachments in the form of MS Word, Excel, or PDF documents. When a user opens the malicious document, the virus launches its executable, which then shows up as a running process in Windows Task Manager.

Once active on the targeted system, AutoLocky scans for data files and encrypts them using the RSA-2048 and AES-128 ciphers. After encryption, a ransom note named info.html or info.txt is displayed on the victim’s desktop, demanding payment in Bitcoin (BTC).
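The two on-disk indicators the article describes (original file names kept and suffixed with .locky, plus a note named info.txt or info.html) are enough for a quick triage scan of a share or user profile. The script below is an added example written for this page, not code from the article or from any vendor tool; it builds a constructed sample directory in a temporary folder and walks it. The rule that a preserved inner extension (for example budget.xlsx.locky) distinguishes AutoLocky-style names from the renamed files Locky produced is a heuristic assumed here, not a documented indicator.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators taken from the article: encrypted files keep their original base
# name and gain a ".locky" suffix; the ransom note is info.txt or info.html.
LOCKY_EXT = ".locky"
RANSOM_NOTE_NAMES = {"info.txt", "info.html"}


def classify_locky_name(name: str) -> str:
    """Classify a file name that ends in .locky.

    AutoLocky keeps the original base name (report.docx.locky), so the inner
    name still carries its original extension. Locky proper renamed files, so
    no inner extension survives. This inner-extension test is an assumption
    made for this example, not a documented indicator.
    """
    inner = name[: -len(LOCKY_EXT)]
    if Path(inner).suffix and len(Path(inner).suffix) > 1:
        return "autolocky-style (base name preserved)"
    return "renamed (Locky-style or unknown)"


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and bucket files into encrypted, ransom note, or renamed."""
    findings: Dict[str, List[str]] = {"encrypted": [], "ransom_notes": [], "renamed": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            low = f.lower()
            if low in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(full)
            elif low.endswith(LOCKY_EXT):
                if classify_locky_name(f).startswith("autolocky"):
                    findings["encrypted"].append(full)
                else:
                    findings["renamed"].append(full)
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory that mimics an affected user share."""
    root = tempfile.mkdtemp(prefix="autolocky_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.locky").write_bytes(b"\x00" * 16)  # constructed ciphertext stand-in
    (docs / "letter.docx.locky").write_bytes(b"\x00" * 16)
    (docs / "info.txt").write_text("constructed ransom note placeholder")
    (docs / "notes.txt").write_text("untouched file")
    pics = Path(root) / "Pictures"
    pics.mkdir()
    (pics / "A1B2C3D4.locky").write_bytes(b"\x00" * 16)  # renamed-style name, constructed
    (pics / "info.html").write_text("<html>constructed note</html>")
    return root


def summarize(root: str) -> Dict[str, int]:
    """Return a count per bucket, handy for a one-line triage verdict."""
    return {k: len(v) for k, v in scan_tree(root).items()}


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for category, paths in scan_tree(sample_root).items():
        print(category)
        for p in paths:
            print("  ", os.path.relpath(p, sample_root))
```

Run it against a real path by replacing `build_sample_tree()` with the directory to check; a non-zero `ransom_notes` count together with `encrypted` hits is the signal to isolate the host before touching anything else.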

Learn how to prevent many types of ransomware in this Best Practices Guide from eSecurity Planet.

How Can Victims Respond to AutoLocky Attacks?

Once an AutoLocky infection is identified, victims should find the name of its executable, open Task Manager, and terminate its process. After removing the startup link, download the AutoLocky decrypter tool to decrypt the encrypted files.

Like other ransomware attacks, AutoLocky does not delete shadow volume copies; therefore, victims can easily restore files using shadow copy restoration software.

What Specific Steps Should Users Take to Prevent AutoLocky Attacks?

Defending against AutoLocky-like attacks requires users to follow a few key security best practices:

1. Back up Data Frequently

Backing up all significant data is the most effective way to prevent ransomware attacks. The backup files can be stored and protected offline, so attackers can’t easily target them.
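A backup only helps if you can tell which files were damaged and can prove the copy you restore from is the one you took. The example below is added for this page and is not code from the article; it records a SHA-256 manifest when the backup is taken, later compares the live tree against it, and restores whatever is missing or changed. The "backup" directory is a stand-in for the offline copy the article recommends, and the simulated damage (content overwritten, .locky appended, info.txt dropped) is constructed to match the behaviour the article describes.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each relative path under root to its digest at backup time."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_tree(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the live tree with the manifest and bucket every path."""
    result: Dict[str, List[str]] = {"intact": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) == digest:
            result["intact"].append(rel)
        else:
            result["modified"].append(rel)
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            result["unexpected"].append(rel)  # new files such as a ransom note
    for bucket in result.values():
        bucket.sort()
    return result


def restore_from_backup(backup: Path, live: Path, report: Dict[str, List[str]]) -> List[str]:
    """Copy missing or modified files back from the backup; return what was restored."""
    restored = []
    for rel in report["missing"] + report["modified"]:
        src = backup / rel
        if src.is_file():
            dst = live / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            restored.append(rel)
    return sorted(restored)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up, simulate AutoLocky-style damage, verify, restore."""
    base = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    live, backup = base / "live", base / "backup"
    (live / "docs").mkdir(parents=True)
    (live / "docs" / "plan.docx").write_bytes(b"constructed document")
    (live / "docs" / "q1.xlsx").write_bytes(b"constructed spreadsheet")
    (live / "readme.txt").write_bytes(b"constructed readme")
    shutil.copytree(live, backup)  # stand-in for the offline copy
    manifest = build_manifest(backup)
    (base / "manifest.json").write_text(json.dumps(manifest, indent=2))
    # Simulated damage: one file encrypted and suffixed, one overwritten, a note dropped.
    (live / "docs" / "plan.docx").write_bytes(b"\x9f\x12constructed ciphertext")
    (live / "docs" / "plan.docx").rename(live / "docs" / "plan.docx.locky")
    (live / "docs" / "q1.xlsx").write_bytes(b"\x00\x01constructed ciphertext")
    (live / "info.txt").write_text("constructed ransom note")
    before = verify_tree(live, manifest)
    restored = restore_from_backup(backup, live, before)
    after = verify_tree(live, manifest)
    return {"before_missing": before["missing"], "before_modified": before["modified"],
            "unexpected": before["unexpected"], "restored": restored,
            "after_intact": after["intact"]}


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Keep the manifest with the backup, not on the protected host: if both live on the same volume, an encryptor that touches one will touch the other.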

2. Apply Multi-Factor Authentication

Multi-factor authentication (MFA) requires a combination of factors, such as something the user knows (a password), something they have (a key card), and something they are (a biometric). This form of authentication helps prevent unauthorized access to important files.

3. Enable Spam Filters

Use strong spam email filters to detect and block executable attachments. Strong filtering stops users from ever seeing or opening malicious files.
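Filtering on the attachment's name alone misses an executable that borrows a PDF icon or a double extension such as invoice.pdf.exe, which is exactly the lure the article attributes to AutoLocky. The gateway check below is an added example for this page, not code from the article or from any mail product: it inspects each attachment of a constructed message by name and by the first bytes of its content, and blocks anything whose name carries an executable extension, whose payload starts with the PE "MZ" header, or that claims to be a PDF without the %PDF- signature. The blocked-extension list is an assumption chosen for the example.

```python
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions a gateway would treat as executable content. This list is an
# assumption for the example, not a set the article prescribes.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".a3x"}
MZ_MAGIC = b"MZ"       # every Windows PE executable starts with these two bytes
PDF_MAGIC = b"%PDF-"   # every well-formed PDF starts with this signature


def attachment_verdicts(msg: EmailMessage) -> List[Dict[str, str]]:
    """Return a block/allow verdict with reasons for each attachment."""
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        lower = name.lower()
        reasons = []
        # Look at every extension after the first dot so "invoice.pdf.exe" is caught.
        suffixes = ["." + s for s in lower.split(".")[1:]]
        if any(s in BLOCKED_EXTENSIONS for s in suffixes):
            reasons.append("blocked extension in name")
        # Content check: a PE header means executable regardless of the name or icon.
        if payload.startswith(MZ_MAGIC):
            reasons.append("PE executable header (MZ)")
        # Consistency check: a declared PDF must carry the PDF signature.
        if lower.endswith(".pdf") and not payload.startswith(PDF_MAGIC):
            reasons.append("claims to be PDF but content is not")
        verdicts.append({
            "filename": name,
            "action": "block" if reasons else "allow",
            "reasons": "; ".join(reasons),
        })
    return verdicts


def build_sample_message() -> EmailMessage:
    """Constructed message with one clean PDF, two disguised executables, one Office file."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="quote.pdf")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"PK\x03\x04constructed", maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="memo.docx")
    return msg


def filter_actions(msg: EmailMessage = None) -> Dict[str, str]:
    """Map attachment file name to the action the gateway would take."""
    msg = msg or build_sample_message()
    return {v["filename"]: v["action"] for v in attachment_verdicts(msg)}


if __name__ == "__main__":
    for v in attachment_verdicts(build_sample_message()):
        print(f'{v["action"]:5}  {v["filename"]:18}  {v["reasons"]}')
```

The Office document passes here because this check only targets executables; the Word and Excel lures the article mentions need a separate macro policy on top of this.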

Looking to better protect your data against ransomware attacks like AutoLocky? Invest in one of the Best Backup Software Solutions.